Symantec-Sponsored Ponemon Report Finds Negligent Employees Top Cause of Data Breaches in the U.S.

March 21, 2012

Symantec and the Ponemon Institute released findings of the 2011 Cost of Data Breach Study: United States, which reveals negligent insiders are the top cause of data breaches while malicious attacks are 25 percent more costly than other types.

The study also found that organizations that employ a chief information security officer (CISO) with enterprise-wide responsibility for data protection can reduce the cost of a data breach by 35 percent per compromised record. The organizational cost of a data breach was $5.5 million last year. The seventh annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 49 U.S. companies from 14 different industry sectors.

Key findings include:

Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.

Certain organizational factors reduce the overall cost. If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as $80 per compromised record. Outside consultants assisting with the breach response can also save as much as $41 per record. When considering the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits.

Specific attributes or factors of the data breach can also increase the overall cost. For example, in this year’s study, organizations that had their first-ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.